From c23116fb2941881526f644ecb48cf17204127fd0 Mon Sep 17 00:00:00 2001
From: Daniel Olsen <daniel.olsen99@gmail.com>
Date: Sun, 5 Nov 2023 03:12:35 +0100
Subject: [PATCH] bob: init

---
 base.nix                             |  3 ++
 flake.lock                           | 51 ++++++++++++++++++++--------
 flake.nix                            | 14 +++++++-
 hosts/bob/configuration.nix          | 46 +++++++++++++++++++++++++
 hosts/bob/disks.nix                  | 39 +++++++++++++++++++++
 hosts/bob/hardware-configuration.nix | 24 +++++++++++++
 misc/builder.nix                     |  5 +++
 users/danio.nix                      |  7 +++-
 values.nix                           |  4 +++
 9 files changed, 176 insertions(+), 17 deletions(-)
 create mode 100644 hosts/bob/configuration.nix
 create mode 100644 hosts/bob/disks.nix
 create mode 100644 hosts/bob/hardware-configuration.nix
 create mode 100644 misc/builder.nix

diff --git a/base.nix b/base.nix
index f839f9f..69c4920 100644
--- a/base.nix
+++ b/base.nix
@@ -71,6 +71,9 @@
 
   users.groups."drift".name = "drift";
 
+  # Trusted users on the nix builder machines
+  users.groups."nix-builder-users".name = "nix-builder-users";
+
   services.openssh = {
     enable = true;
     extraConfig = ''
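Review bot: The comment on the new group undersells what membership grants: on any host that imports misc/builder.nix the group is fed into `nix.settings.trusted-users`, which the Nix manual describes as essentially equivalent to root (a trusted user may set arbitrary substituters, trusted-public-keys and sandbox options for the daemon). I would make that explicit so nobody adds a user to it as a convenience, e.g. `# Members become nix trusted-users (root-equivalent) on hosts that import misc/builder.nix`. The group is created fleet-wide here while the privilege is only attached in misc/builder.nix, which is fine, but it means membership looks harmless on every other host until a builder module lands there.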
diff --git a/flake.lock b/flake.lock
index 2ca51b4..19a7ed9 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,25 @@
 {
   "nodes": {
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1699099781,
+        "narHash": "sha256-2WAs839yL6xmIPBLNVwbft46BDh0/RAjq1bAKNRqeR4=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "548962c50b8afad7b8c820c1d6e21dc8394d6e65",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
     "grzegorz": {
       "inputs": {
         "nixpkgs": [
@@ -45,11 +65,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1697420972,
-        "narHash": "sha256-eFDasOzXAN8VswUntNBBwvKFyVKFvmwRNNVTDfGdB3M=",
+        "lastModified": 1697936579,
+        "narHash": "sha256-nMyepKnwoHMzu2OpXvG2ZhU081TV9ENmWCo0vWxs6AI=",
         "owner": "dali99",
         "repo": "nixos-matrix-modules",
-        "rev": "1e370b96223b94d52006249a60033caaea605c65",
+        "rev": "e09814657187c8ed1a5fe1646df6d8da1eb2dee9",
         "type": "github"
       },
       "original": {
@@ -60,11 +80,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1697706247,
-        "narHash": "sha256-nWLggeUxn/l8JrcQr9f+RfnCXp8cn0BN568PjMJh9ko=",
+        "lastModified": 1699024625,
+        "narHash": "sha256-abDyXs00jZtQcTrujB/a9MaIp7VY5v1VDVCF4zhXVYE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "4ee5b576ac2861a818950aea99f609d7a6fc02a3",
+        "rev": "556a75f6a1302b6718fecd3ca8cbd109eb6cb067",
         "type": "github"
       },
       "original": {
@@ -91,11 +111,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1697332183,
-        "narHash": "sha256-ACYvYsgLETfEI2xM1jjp8ZLVNGGC0onoCGe+69VJGGE=",
+        "lastModified": 1698544399,
+        "narHash": "sha256-vhRmPyEyoPkrXF2iykBsWHA05MIaOSmMRLMF7Hul6+s=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "0e1cff585c1a85aeab059d3109f66134a8f76935",
+        "rev": "d87c5d8c41c9b3b39592563242f3a448b5cc4bc9",
         "type": "github"
       },
       "original": {
@@ -127,6 +147,7 @@
     },
     "root": {
       "inputs": {
+        "disko": "disko",
         "grzegorz": "grzegorz",
         "grzegorz-clients": "grzegorz-clients",
         "matrix-next": "matrix-next",
@@ -144,11 +165,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1697339241,
-        "narHash": "sha256-ITsFtEtRbCBeEH9XrES1dxZBkE1fyNNUfIyQjQ2AYQs=",
+        "lastModified": 1699021419,
+        "narHash": "sha256-oy2j2OHXYcckifASMeZzpmbDLSvobMGt0V/RvoDotF4=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "51186b8012068c417dac7c31fb12861726577898",
+        "rev": "275b28593ef3a1b9d05b6eeda3ddce2f45f5c06f",
         "type": "github"
       },
       "original": {
@@ -159,11 +180,11 @@
     },
     "unstable": {
       "locked": {
-        "lastModified": 1697713104,
-        "narHash": "sha256-DN7YOyKMCpAVeZ44N42LrujtTkoerkS9+kTufQiuntY=",
+        "lastModified": 1699087154,
+        "narHash": "sha256-Eq8VMqpRtMonqeOlLi+F86S39l+RLx/0EbqystNaswc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "6be2c349a30fcb489a3153dd331e9df387ab6449",
+        "rev": "e4082efedb483eb0478c3f014fa851449bca43f9",
         "type": "github"
       },
       "original": {
diff --git a/flake.nix b/flake.nix
index ed131af..26baabd 100644
--- a/flake.nix
+++ b/flake.nix
@@ -8,6 +8,9 @@
     sops-nix.url = "github:Mic92/sops-nix";
     sops-nix.inputs.nixpkgs.follows = "nixpkgs";
 
+    disko.url = "github:nix-community/disko";
+    disko.inputs.nixpkgs.follows = "nixpkgs";
+
     pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git";
     pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";
 
@@ -19,7 +22,7 @@
     grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
   };
 
-  outputs = { self, nixpkgs, matrix-next, pvv-calendar-bot, unstable, sops-nix, ... }@inputs:
+  outputs = { self, nixpkgs, disko, matrix-next, pvv-calendar-bot, unstable, sops-nix, ... }@inputs:
   let
     nixlib = nixpkgs.lib;
     systems = [
@@ -77,6 +80,15 @@
         ];
       };
       bekkalokk = stableNixosConfig "bekkalokk" { };
+      bob = stableNixosConfig "bob" {
+        modules = [
+          ./hosts/bob/configuration.nix
+          sops-nix.nixosModules.sops
+
+          disko.nixosModules.disko
+          { disko.devices.disk.disk1.device = "/dev/vda"; }
+        ];
+      };
       ildkule = stableNixosConfig "ildkule" { };
       #ildkule-unstable = unstableNixosConfig "ildkule" { };
       shark = stableNixosConfig "shark" { };
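Review bot: The disk target is declared twice: the inline module here pins `disko.devices.disk.disk1.device = "/dev/vda";`, while hosts/bob/disks.nix sets `device = lib.mkDefault "/dev/sda";`. Disko formats whatever device wins the priority, so a stale default is a data-loss hazard if disks.nix is ever imported without this override; I would drop the mkDefault and write `/dev/vda` in disks.nix directly (the virtio_blk modules in hardware-configuration.nix indicate that is the real device), or at least add a comment in disks.nix that the flake is expected to set the device. Whichever way, keep the value in one place so the two files cannot drift.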
diff --git a/hosts/bob/configuration.nix b/hosts/bob/configuration.nix
new file mode 100644
index 0000000..674dac3
--- /dev/null
+++ b/hosts/bob/configuration.nix
@@ -0,0 +1,46 @@
+{ config, pkgs, values, ... }:
+{
+  imports = [
+      # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      ../../base.nix
+      ../../misc/metrics-exporters.nix
+      ./disks.nix
+
+      ../../misc/builder.nix
+    ];
+
+  sops.defaultSopsFile = ../../secrets/bob/bob.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+  sops.age.generateKey = true;
+
+  boot.loader.grub = {
+    enable = true;
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+  };
+
+  networking.hostName = "bob"; # Define your hostname.
+
+  systemd.network.networks."30-all" = values.defaultNetworkConfig // {
+    matchConfig.Name = "en*";
+    DHCP = "yes";
+    gateway = [ ];
+  };
+
+  # List packages installed in system profile
+  environment.systemPackages = with pkgs; [
+  ];
+
+  # List services that you want to enable:
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.05"; # Did you read the comment?
+
+}
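Review bot: The sops block configures two age identities at once: `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` derives one from the host key, and `sops.age.keyFile` with `generateKey = true` creates a second one on first activation. Only recipients listed in the repo's .sops.yaml can decrypt secrets/bob/bob.yaml, so pick one source of truth (the host-key-derived identity is the usual choice, since its public key can be computed before first boot with ssh-to-age) and drop the other, or add a comment stating which recipient the secrets are encrypted for. Also, the diffstat shows no secrets/bob/bob.yaml being added; if that file is not already tracked, evaluation of this host will fail at `sops.defaultSopsFile`.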
diff --git a/hosts/bob/disks.nix b/hosts/bob/disks.nix
new file mode 100644
index 0000000..b2271dd
--- /dev/null
+++ b/hosts/bob/disks.nix
@@ -0,0 +1,39 @@
+# Example to create a bios compatible gpt partition
+{ lib, ... }:
+{
+  disko.devices = {
+    disk.disk1 = {
+      device = lib.mkDefault "/dev/sda";
+      type = "disk";
+      content = {
+        type = "gpt";
+        partitions = {
+          boot = {
+            name = "boot";
+            size = "1M";
+            type = "EF02";
+          };
+          esp = {
+            name = "ESP";
+            size = "500M";
+            type = "EF00";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+            };
+          };
+          root = {
+            name = "root";
+            size = "100%";
+            content = {
+              type = "filesystem";
+              format = "ext4";
+              mountpoint = "/";
+            };
+          };
+        };
+      };
+    };
+  };
+}
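Review bot: The header comment `# Example to create a bios compatible gpt partition` is copied from the disko examples and no longer describes this file; replace it with what the file is, e.g. `# bob: hybrid BIOS/UEFI GPT layout (1M EF02 + 500M ESP + ext4 root); the device is overridden from flake.nix`. The ESP is mounted at /boot with no mountOptions, so with vfat defaults it is world-readable; the hardening used in the disko examples is `mountOptions = [ "umask=0077" ];` on the ESP filesystem, which also matters if initrd secrets are ever placed there. The root filesystem is plain ext4 with no encryption, which may be intentional for a VM builder, but since /var/lib/sops-nix/key.txt and the SSH host key live on it that trade-off is worth stating in a comment.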
diff --git a/hosts/bob/hardware-configuration.nix b/hosts/bob/hardware-configuration.nix
new file mode 100644
index 0000000..a97a3c3
--- /dev/null
+++ b/hosts/bob/hardware-configuration.nix
@@ -0,0 +1,24 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_blk" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/misc/builder.nix b/misc/builder.nix
new file mode 100644
index 0000000..6f3847a
--- /dev/null
+++ b/misc/builder.nix
@@ -0,0 +1,5 @@
+{ ... }:
+
+{
+  nix.settings.trusted-users = [ "@nix-builder-users" ];
+}
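Review bot: `nix.settings.trusted-users = [ "@nix-builder-users" ];` grants every member of the group effective root on the host, since a trusted user may pass arbitrary `substituters`, `trusted-public-keys` and sandbox options to the daemon, yet the module carries no comment saying so. I would add `# WARNING: trusted-users is root-equivalent; only add users who already have root on this host` above the setting. The group itself is defined in base.nix, not here, so this module silently depends on base.nix being imported alongside it; a short comment recording that dependency would help the next person who reuses the module.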
diff --git a/users/danio.nix b/users/danio.nix
index 1ce1e53..36bfefa 100644
--- a/users/danio.nix
+++ b/users/danio.nix
@@ -3,7 +3,12 @@
 {
   users.users.danio = {
     isNormalUser = true;
-    extraGroups = [ "drift" ]; # Enable ‘sudo’ for the user.
+    extraGroups = [ "drift" "nix-builder-users" ];
     shell = pkgs.zsh;
+
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCp8iMOx3eTiG5AmDh2KjKcigf7xdRKn9M7iZQ4RqP0np0UN2NUbu+VAMJmkWFyi3JpxmLuhszU0F1xY+3qM3ARduy1cs89B/bBE85xlOeYhcYVmpcgPR5xduS+TuHTBzFAgp+IU7/lgxdjcJ3PH4K0ruGRcX1xrytmk/vdY8IeSk3GVWDRrRbH6brO4cCCFjX0zJ7G6hBQueTPQoOy3jrUvgpRkzZY4ZCuljXtxbuX5X/2qWAkp8ca0iTQ5FzNA5JUyj+DWeEzjIEz6GrckOdV2LjWpT9+CtOqoPZOUudE1J9mJk4snNlMQjE06It7Kr50bpwoPqnxjo7ZjlHFLezl"
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDpGSDczzDOhTETCj+uB5e3/9QbOCaVW1knM+n1ey0n6LXH7uiPPmzuZiqfzmfbB1z4bjM2zpn3D6Et6zRCrBUjhTZqf/5GoNlvhVA6QYmBmBp98b8oY7juj5cmu55voxD0S5rC1mQMnWAAf8e8OPbkhs9Lt0XlOYdotLNIZQubzWqE2DK45g/h17ELJs+jkNXoalFjLvLXWzE/C+3pYoeNJVGHfVMTIwt7o64E6JXhxuYTYdSIuzd+BjntkSCXzcAzBFMRwkdlFVoBtLUMMcMQl39kcXv7lAQ8pv+8b1j1N9WuQVf1qEAcZguaimI1ifbXP5d841pZPApCj5KXectIEldfTrcwg8rZpd2UfYS/3XCcOuidBGprY7XsU/jz8wHbH68UjUrsLyaOMnG2ChYztnf63vm3gRs3Fc6FqTycpgYOPDeZBVTcMyPGgtiZvhnTeY20xFS5lK6M+dmgaDqH24kPLiwYSpUF2NK+Rg/2bZxvt/GaSr4U6fJGi3FCJOM= root@DanixLaptop"
+    ];
   };
 }
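Review bot: The two `ssh-rsa` keys are added to users/danio.nix, which is shared configuration rather than something under hosts/bob/, so if the other hosts import this module (as the shared base.nix pattern suggests) a commit titled "bob: init" quietly enrolls these keys on the whole fleet; that is worth calling out in the commit message or moving to a bob-specific module. The second key is commented `root@DanixLaptop`, i.e. it appears to have been generated in the laptop's root account, and the first key's modulus length indicates 2048-bit RSA; a key from the user's own account, preferably ed25519, would be the cleaner credential. The comment `# Enable ‘sudo’ for the user.` was dropped from the extraGroups line; if `drift` is still what grants sudo, keep that information, e.g. `extraGroups = [ "drift" "nix-builder-users" ]; # drift: sudo; nix-builder-users: nix trusted-users on builder hosts`.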
diff --git a/values.nix b/values.nix
index fdd9093..d69cdee 100644
--- a/values.nix
+++ b/values.nix
@@ -37,6 +37,10 @@ in rec {
       ipv4 = pvv-ipv4 209;
       ipv6 = pvv-ipv6 209;
     };
+    bob = {
+      ipv4 = "129.241.152.254";
+      # ipv6 = ;
+    };
     shark = {
       ipv4 = pvv-ipv4 196;
       ipv6 = pvv-ipv6 196;
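Review bot: The bob entry breaks the pattern of its neighbours: every other host derives its addresses with `pvv-ipv4 N` / `pvv-ipv6 N`, while bob hardcodes `ipv4 = "129.241.152.254";` and leaves `# ipv6 = ;` as a commented placeholder. If anything in the repo iterates over hosts and reads `.ipv6` (firewall rules, DNS, default network config), bob will throw on the missing attribute, so either set it or make consumers tolerate its absence. The different /24 suggests bob is not on the same network as the others, which, together with the DHCP setup in hosts/bob/configuration.nix, deserves a one-line comment explaining where the address comes from and whether it is authoritative, e.g. `# bob is outside the pvv range; address assigned by DHCP, recorded here for reference`.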